certificate profile match against local ISE user database

rmueller@cisco.com
Cisco Employee

Hi all,

My customer would like to match the CN of the user certificate during EAP-TLS authentication against the usernames within the local user database on ISE, retrieve group membership and apply an authorization profile based on that. If I understand the config guide, this is not possible today; the customer needs LDAP or AD to do that. My customer says that on ACS this is possible.

Is there any other way to achieve that on ISE?

Thanks in advance.

Roland

Accepted Solutions

Charlie Moreton
Cisco Employee

You are right on both counts.  On ACS you can use EAP-TLS to authenticate the internal users.  Here is the table from the User Guide for Cisco Secure Access Control System 5.8 showing that this is possible:

ACS-EAP-AUTHC.PNG

And here is the table from the Cisco Identity Services Engine Administrator's Guide, Release 2.2 showing that EAP-TLS authentication to the internal users identity store is not supported:

ISE-EAP-AUTHC.PNG

These are currently the latest releases for both products.  Since we cannot discuss Roadmap items, I would suggest you reach out to the Product Management Team for further information.
